Post on 25-Jul-2020
1
Daniel MartinsApplication Engineer – MathWorksDaniel.martins@mathworks.fr
Increasing Embedded Software ConfidenceModel and Code Verification
2
What is the Cost of Software Failure…
$7,500,000,000
Ariane 5
Rocket & payload lost
3
What is the Cost of Software Failure…
Casualtiesdue to radiation overdose
6
Therac-25
4
Where do you want to discover and fix errors?
Model
Generated Code
Vehicle TestingIn Service
Pre sales Post sales
5
Using Model-Based Design
It is easier and less expensive to fix design errors early in the process when they happen.
Model-Based Design enables:
1. Early testing to increase confidence in your design
2. Delivery of higher quality software throughout the workflow
6
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
Design error detection
Functional& structural tests
Modeling standards
Model & code equivalence checks
Code integration analysis
7
Application: Cruise Control
70 km/h
Control speed according to setpoint
8
System
Inputs OutputsFuel Rate
Control Module
Shift Logic
Control Module
ECU
system
Legacy c
ode
ECU
Application: Cruise Control
2Cruise
Control
Module (MBD)
1
9
System
Inputs OutputsFuel Rate
Control Module
Shift Logic
Control Module
ECU
system
Legacy c
ode
ECU
Application: Cruise Control
Cruise
Control
Module (MBD)
10
Application: Cruise Control
Cruise_onoff
Brake
Speed
Coast set
Accel reset
Inputs
Engaged
Target speed
Outputs
Cruise
Control
Module (MBD)
11
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
12
Ad-hoc Tests
New “Dashboard” blocks facilitate
early ad-hoc testing
13
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
Design error detection
14
Finding Design Errors: Dead Logic
15
Finding Unintended Behavior
Dead logic due to “uint8”
operation on incdec/holdrate*10
Fix change the order of
operation 10*incdec/holdrate
Condition can never be false
16
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
Design error detection
Functional& structural tests
17
Simulation Testing Workflow
Structural coverage
report
Did we completely
test our model?
Did we meet
requirements?
Review functional
behavior
Design
Requirements
18
Requirements Based Functional Testing with
Coverage Analysis
19
Did We Completely Test our Model?
Model Coverage
Analysis
Potential causes of less
than 100% coverage:
Missing requirements
Over-specified design
Design errors
Missing tests
20
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
Design error detection
Functional& structural tests
Modeling standards
21
Model Advisor – Model Standards Checking
22
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
Design error detection
Functional& structural tests
Modeling standards
Model & code equivalence checks
23
Code Generation with Model-to-Code Traceability
24
Equivalence Testing:
Model vs SIL or PIL Mode Testing
Model
Testing
SIL or PIL
Mode Testing
Coverage 100%
25
Code Equivalence Check Results:
Model vs Code
Code Coverage
26
Gaining Confidence in our Design
Effort / Time
Confidence
Ad-hoc testing
Design error detection
Functional& structural tests
Modeling standards
Model & code equivalence checks
Codeintegration analysis
27
System
Inputs OutputsFuel Rate
Control Module
Shift Logic
Control Module
ECU
system
Legacy c
ode
ECU
Code Integration Analysis
Cruise
Control
Module (MBD)
Cruise
Control
Module (MBD)
1
Cruise
Control
Module (MBD)
1
28
Fuel Rate
Control Module
Shift Logic
Control Module
ECU
system
Legacy c
ode
ECU
2Cruise
Control
Module (MBD)
1
Code Integration Analysis
Cruise_onoff
Brake
Speed
Coast set
Accel reset
EGO Sensor
MAP Sensor
Inputs
Gear
Engaged
Target speed
Fuel Rate
Outputs
29
Fuel Rate
Control Module
Shift Logic
Control Module
ECU
system
Legacy c
ode
ECU
Cruise_onoff
Brake
Speed
Coast set
Accel reset
EGO Sensor
MAP Sensor
Inputs
Gear
Engaged
Target speed
Fuel Rate
Outputs
Inaccurate
scaling for
speed
Finding Dead Code During Integration
De
ad
co
de
Cruise
Control
Module (MBD)
2
30
Finding Dead Code with Polyspace
Dead code
Maximum target speed = 90Target speed parameter
propagated to “Cruise_ctrl.c”
[0 … 40]
31
Polyspace Code Analysis
static void pointer_arithmetic (void)
{
int array[100];
int *p = array;
int i;
for (i = 0; i < 100; i++) {
*p = 0;
p++;
}
if (get_bus_status() > 0) {
if (get_oil_pressure() > 0) {
*p = 5;
} else {
i++;
}
}
i = get_bus_status();
if (i >= 0) {
*(p - i) = 10;
}
}
Source code painted in green, red, gray, orange
Green: reliablesafe pointer access
Red: faultyout of bounds error
Gray: deadunreachable code
Orange: unprovenmay be unsafe for some
conditions
Purple: violationMISRA-C/C++ or JSF++
code rules
variable ‘I’ (int32): [0 .. 99]
assignment of ‘I’ (int32): [1 ..
100]
Range datatool tip
32
Conclusion:
Model-Based Design Verification Workflow
Model VerificationDiscover design errors at design time
Code VerificationGain confidence in the generated code
Workflow approved by TÜV SÜD for development of safety-critical software in accordance with
ISO 26262 (automotive), IEC 61508 (industrial), EN 50128 (railway), IEC 62304 (medical devices)
33
Key Takeaway
It is easier and less expensive to fix design errors early in the process when they happen.
Model-Based Design enables:
1. Early testing to increase confidence in your design
2. Delivery of higher quality software throughout the workflow
34
Change the world by
Accelerating the paceof discovery, innovation, development, and learning
in engineering and science